Updated on 26 November 2017
This should be pretty simple:
$ docker run --rm -ti -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run/systemd/system --cap-add SYS_ADMIN centos:7 /usr/lib/systemd/systemd --system
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected architecture x86-64.
Welcome to CentOS Linux 7 (Core)!
Set hostname to <5c24e9ce322a>.
Initializing machine ID from random generator.
Failed to install release agent, ignoring: File exists
Running in a container, ignoring fstab device entry for /dev/disk/by-uuid/b5b1eafa-7605-4eea-83d6-9ee36e9b867a.
[ OK ] Reached target Remote File Systems.
[ OK ] Reached target Encrypted Volumes.
[ OK ] Reached target Swap.
[ OK ] Created slice Root Slice.
...
...
[ OK ] Reached target Multi-User System.
[ OK ] Started Cleanup of Temporary Directories.
Startup finished in 17h 30min 40.032s (kernel) + 231ms (userspace) = 17h 30min 40.264s.
$ docker exec -ti $(docker ps -lq) systemctl status
● 5c24e9ce322a
    State: degraded
     Jobs: 0 queued
   Failed: 5 units
    Since: Sun 2017-02-26 17:08:26 UTC; 18s ago
   CGroup: /docker/5c24e9ce322a3e1dc21344014209c1620ba4d4dca8634f4ee739b7242931cd0a
           ├─ 1 /dev/init -- /usr/lib/systemd/systemd --system
           ├─ 7 /usr/lib/systemd/systemd --system
           ├─49 systemctl status
           ├─55 [systemctl]
           └─system.slice
             ├─dbus.service
             │ └─32 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
             ├─systemd-readahead-collect.service
             │ └─19 /usr/lib/systemd/systemd-readahead collect
             ├─systemd-journald.service
             │ └─20 /usr/lib/systemd/systemd-journald
             └─systemd-logind.service
               └─31 /usr/lib/systemd/systemd-logind
And the Docker container requires the following added capabilities, depending on the Docker version:
Docker 1.12.1: SYS_ADMIN
Docker 1.12.0: SYS_ADMIN, DAC_READ_SEARCH
Docker 1.11.2: no special caps required
Please share your observations in the comment section below.
Running systemd in Ubuntu Xenial:
docker run --rm -ti \
-e container=docker \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--tmpfs /run \
--tmpfs /run/lock \
--cap-add SYS_ADMIN \
ubuntu:xenial /bin/systemd --system
It will not output anything, but systemd is working:
docker exec -ti $(docker ps -lq) systemctl status
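The CentOS 7 and Ubuntu Xenial invocations above, wrapped in a small POSIX sh helper together with a check that reads `systemctl status` output and reports whether the container's systemd came up clean or degraded. This is an added example, not from the original post: the image names, mount points and the single SYS_ADMIN capability are the post's, while the function names are hypothetical and the sample status text is constructed from the post's own output.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the two `docker run`
# invocations shown above and checks a captured `systemctl status` header.
# Function names are hypothetical; SAMPLE_STATUS is constructed from the
# post's own (degraded) output.

# Print, one per line, the docker run arguments for the given base image.
# Only SYS_ADMIN is added, since that is all the post found necessary.
systemd_run_args() {
  case "$1" in
    centos:7)
      printf '%s\n' --rm -ti -e container=docker \
        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
        --tmpfs /run/systemd/system --cap-add SYS_ADMIN \
        centos:7 /usr/lib/systemd/systemd --system ;;
    ubuntu:xenial)
      printf '%s\n' --rm -ti -e container=docker \
        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
        --tmpfs /run --tmpfs /run/lock --cap-add SYS_ADMIN \
        ubuntu:xenial /bin/systemd --system ;;
    *) echo "unsupported image: $1" >&2; return 2 ;;
  esac
}

# Read `systemctl status` output on stdin, print "<state> <failed-units>",
# and succeed only when the state is "running" with no failed units.
systemd_health() {
  awk '
    $1 == "State:"  { state = $2 }
    $1 == "Failed:" { failed = $2 + 0 }
    END {
      if (state == "") state = "unknown"
      print state, failed + 0
      if (state == "running" && failed == 0) exit 0
      exit 1
    }'
}

# Constructed sample, mirroring the degraded status shown in the post.
SAMPLE_STATUS='● 5c24e9ce322a
    State: degraded
     Jobs: 0 queued
   Failed: 5 units
    Since: Sun 2017-02-26 17:08:26 UTC; 18s ago'

# Against a live container (requires Docker, so not run here):
#   docker run $(systemd_run_args centos:7)
#   docker exec -ti "$(docker ps -lq)" systemctl status | systemd_health
```

With the post's degraded container, `systemd_health` prints `degraded 5` and exits non-zero, which makes it usable as a readiness gate before exec'ing anything else into the container.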